diff --git a/ChangeLog b/ChangeLog index 8722b27c5..7aa8775a2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,11 @@ Security one using PrintableString and the other UTF8String) or in the choice of upper and lower case. Reported by HenrikRosenquistAndersson in #1784. + * Fix a flawed bounds check in server PSK hint parsing. In case the + incoming message buffer was placed within the first 64KB of address + space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker + to trigger a memory access up to 64KB beyond the incoming message buffer, + potentially leading to application crash or information disclosure. * Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The previous settings for the number of rounds made it practical for an adversary to construct non-primes that would be erroneously accepted as diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 5720a4b88..ff576f3a8 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2109,7 +2109,7 @@ static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, * * opaque psk_identity_hint<0..2^16-1>; */ - if( (*p) > end - 2 ) + if( end - (*p) < 2 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message " "(psk_identity_hint length)" ) ); @@ -2118,7 +2118,7 @@ static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, len = (*p)[0] << 8 | (*p)[1]; *p += 2; - if( (*p) > end - len ) + if( end - (*p) < (int) len ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message " "(psk_identity_hint length)" ) );